<!doctype html>

<html>
<head>
  <link rel="shortcut icon" href="static/images/favicon.ico" type="image/x-icon">
  <title>safestyle.js (Closure Library API Documentation - JavaScript)</title>
  <link rel="stylesheet" href="static/css/base.css">
  <link rel="stylesheet" href="static/css/doc.css">
  <link rel="stylesheet" href="static/css/sidetree.css">
  <link rel="stylesheet" href="static/css/prettify.css">

  <script>
     var _staticFilePath = "static/";
     var _typeTreeName = "goog";
     var _fileTreeName = "Source";
  </script>

  <script src="static/js/doc.js">
  </script>


  <meta charset="utf8">
</head>

<body onload="grokdoc.onLoad();">

<div id="header">
  <div class="g-section g-tpl-50-50 g-split">
    <div class="g-unit g-first">
      <a id="logo" href="index.html">Closure Library API Documentation</a>
    </div>

    <div class="g-unit">
      <div class="g-c">
        <strong>Go to class or file:</strong>
        <input type="text" id="ac">
      </div>
    </div>
  </div>
</div>

<div class="clear"></div>

<h2><a href="local_closure_goog_html_safestyle.js.html">safestyle.js</a></h2>

<pre class="prettyprint lang-js">
<a name="line1"></a>// Copyright 2014 The Closure Library Authors. All Rights Reserved.
<a name="line2"></a>//
<a name="line3"></a>// Licensed under the Apache License, Version 2.0 (the &quot;License&quot;);
<a name="line4"></a>// you may not use this file except in compliance with the License.
<a name="line5"></a>// You may obtain a copy of the License at
<a name="line6"></a>//
<a name="line7"></a>//      http://www.apache.org/licenses/LICENSE-2.0
<a name="line8"></a>//
<a name="line9"></a>// Unless required by applicable law or agreed to in writing, software
<a name="line10"></a>// distributed under the License is distributed on an &quot;AS-IS&quot; BASIS,
<a name="line11"></a>// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
<a name="line12"></a>// See the License for the specific language governing permissions and
<a name="line13"></a>// limitations under the License.
<a name="line14"></a>
<a name="line15"></a>/**
<a name="line16"></a> * @fileoverview The SafeStyle type and its builders.
<a name="line17"></a> *
<a name="line18"></a> * TODO(user): Link to document stating type contract.
<a name="line19"></a> */
<a name="line20"></a>
<a name="line21"></a>goog.provide(&#39;goog.html.SafeStyle&#39;);
<a name="line22"></a>
<a name="line23"></a>goog.require(&#39;goog.asserts&#39;);
<a name="line24"></a>goog.require(&#39;goog.string&#39;);
<a name="line25"></a>goog.require(&#39;goog.string.Const&#39;);
<a name="line26"></a>goog.require(&#39;goog.string.TypedString&#39;);
<a name="line27"></a>
<a name="line28"></a>
<a name="line29"></a>
<a name="line30"></a>/**
<a name="line31"></a> * A string-like object which represents a sequence of CSS declarations
<a name="line32"></a> * ({@code propertyName1: propertyvalue1; propertyName2: propertyValue2; ...})
<a name="line33"></a> * and that carries the security type contract that its value, as a string,
<a name="line34"></a> * will not cause untrusted script execution (XSS) when evaluated as CSS in a
<a name="line35"></a> * browser.
<a name="line36"></a> *
<a name="line37"></a> * Instances of this type must be created via the factory method,
<a name="line38"></a> * ({@code goog.html.SafeStyle.fromConstant}), and not by invoking its
<a name="line39"></a> * constructor. The constructor intentionally takes no parameters and the type
<a name="line40"></a> * is immutable; hence only a default instance corresponding to the empty
<a name="line41"></a> * string can be obtained via constructor invocation.
<a name="line42"></a> *
<a name="line43"></a> * A SafeStyle&#39;s string representation ({@link #getSafeStyleString()}) can
<a name="line44"></a> * safely:
<a name="line45"></a> * &lt;ul&gt;
<a name="line46"></a> *   &lt;li&gt;Be interpolated as the entire content of a *quoted* HTML style
<a name="line47"></a> *       attribute, or before already existing properties. The SafeStyle string
<a name="line48"></a> *       *must be HTML-attribute-escaped* (where &quot; and &#39; are escaped) before
<a name="line49"></a> *       interpolation.
<a name="line50"></a> *   &lt;li&gt;Be interpolated as the entire content of a {}-wrapped block within a
<a name="line51"></a> *       stylesheet, or before already existing properties. The SafeStyle string
<a name="line52"></a> *       should not be escaped before interpolation. SafeStyle&#39;s contract also
<a name="line53"></a> *       guarantees that the string will not be able to introduce new properties
<a name="line54"></a> *       or elide existing ones.
<a name="line55"></a> *   &lt;li&gt;Be assigned to the style property of a DOM node. The SafeStyle string
<a name="line56"></a> *       should not be escaped before being assigned to the property.
<a name="line57"></a> * &lt;/ul&gt;
<a name="line58"></a> *
<a name="line59"></a> * A SafeStyle may never contain literal angle brackets. Otherwise, it could
<a name="line60"></a> * be unsafe to place a SafeStyle into a &amp;lt;style&amp;gt; tag (where it can&#39;t
<a name="line61"></a> * be HTML escaped). For example, if the SafeStyle containing
<a name="line62"></a> * &quot;{@code font: &#39;foo &amp;lt;style/&amp;gt;&amp;lt;script&amp;gt;evil&amp;lt;/script&amp;gt;&#39;}&quot; were
<a name="line63"></a> * interpolated within a &amp;lt;style&amp;gt; tag, this would then break out of the
<a name="line64"></a> * style context into HTML.
<a name="line65"></a> *
<a name="line66"></a> * A SafeStyle may contain literal single or double quotes, and as such the
<a name="line67"></a> * entire style string must be escaped when used in a style attribute (if
<a name="line68"></a> * this were not the case, the string could contain a matching quote that
<a name="line69"></a> * would escape from the style attribute).
<a name="line70"></a> *
<a name="line71"></a> * Values of this type must be composable, i.e. for any two values
<a name="line72"></a> * {@code style1} and {@code style2} of this type,
<a name="line73"></a> * {@code style1.getSafeStyleString() + style2.getSafeStyleString()} must
<a name="line74"></a> * itself be a value that satisfies the SafeStyle type constraint. This
<a name="line75"></a> * requirement implies that for any value {@code style} of this type,
<a name="line76"></a> * {@code style.getSafeStyleString()} must not end in a &quot;property value&quot; or
<a name="line77"></a> * &quot;property name&quot; context. For example, a value of {@code background:url(&quot;}
<a name="line78"></a> * or {@code font-} would not satisfy the SafeStyle contract. This is because
<a name="line79"></a> * concatenating such strings with a second value that itself does not contain
<a name="line80"></a> * unsafe CSS can result in an overall string that does. For example, if
<a name="line81"></a> * {@code javascript:evil())&quot;} is appended to {@code background:url(&quot;}, the
<a name="line82"></a> * resulting string may result in the execution of a malicious script.
<a name="line83"></a> *
<a name="line84"></a> * TODO(user): Consider whether we should implement UTF-8 interchange
<a name="line85"></a> * validity checks and blacklisting of newlines (including Unicode ones) and
<a name="line86"></a> * other whitespace characters (\t, \f). Document here if so and also update
<a name="line87"></a> * SafeStyle.fromConstant().
<a name="line88"></a> *
<a name="line89"></a> * The following example values comply with this type&#39;s contract:
<a name="line90"></a> * &lt;ul&gt;
<a name="line91"></a> *   &lt;li&gt;&lt;pre&gt;width: 1em;&lt;/pre&gt;
<a name="line92"></a> *   &lt;li&gt;&lt;pre&gt;height:1em;&lt;/pre&gt;
<a name="line93"></a> *   &lt;li&gt;&lt;pre&gt;width: 1em;height: 1em;&lt;/pre&gt;
<a name="line94"></a> *   &lt;li&gt;&lt;pre&gt;background:url(&#39;http://url&#39;);&lt;/pre&gt;
<a name="line95"></a> * &lt;/ul&gt;
<a name="line96"></a> * In addition, the empty string is safe for use in a CSS attribute.
<a name="line97"></a> *
<a name="line98"></a> * The following example values do NOT comply with this type&#39;s contract:
<a name="line99"></a> * &lt;ul&gt;
<a name="line100"></a> *   &lt;li&gt;&lt;pre&gt;background: red&lt;/pre&gt; (missing a trailing semi-colon)
<a name="line101"></a> *   &lt;li&gt;&lt;pre&gt;background:&lt;/pre&gt; (missing a value and a trailing semi-colon)
<a name="line102"></a> *   &lt;li&gt;&lt;pre&gt;1em&lt;/pre&gt; (missing an attribute name, which provides context for
<a name="line103"></a> *       the value)
<a name="line104"></a> * &lt;/ul&gt;
<a name="line105"></a> *
<a name="line106"></a> * @see goog.html.SafeStyle#fromConstant
<a name="line107"></a> * @see http://www.w3.org/TR/css3-syntax/
<a name="line108"></a> * @constructor
<a name="line109"></a> * @final
<a name="line110"></a> * @struct
<a name="line111"></a> * @implements {goog.string.TypedString}
<a name="line112"></a> */
<a name="line113"></a>goog.html.SafeStyle = function() {
<a name="line114"></a>  /**
<a name="line115"></a>   * The contained value of this SafeStyle.  The field has a purposely
<a name="line116"></a>   * ugly name to make (non-compiled) code that attempts to directly access this
<a name="line117"></a>   * field stand out.
<a name="line118"></a>   * @private {string}
<a name="line119"></a>   */
<a name="line120"></a>  this.privateDoNotAccessOrElseSafeStyleWrappedValue_ = &#39;&#39;;
<a name="line121"></a>
<a name="line122"></a>  /**
<a name="line123"></a>   * A type marker used to implement additional run-time type checking.
<a name="line124"></a>   * @see goog.html.SafeStyle#unwrap
<a name="line125"></a>   * @const
<a name="line126"></a>   * @private
<a name="line127"></a>   */
<a name="line128"></a>  this.SAFE_STYLE_TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ =
<a name="line129"></a>      goog.html.SafeStyle.TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_;
<a name="line130"></a>};
<a name="line131"></a>
<a name="line132"></a>
<a name="line133"></a>/**
<a name="line134"></a> * @override
<a name="line135"></a> * @const
<a name="line136"></a> */
<a name="line137"></a>goog.html.SafeStyle.prototype.implementsGoogStringTypedString = true;
<a name="line138"></a>
<a name="line139"></a>
<a name="line140"></a>/**
<a name="line141"></a> * Creates a SafeStyle object from a compile-time constant string.
<a name="line142"></a> *
<a name="line143"></a> * {@code style} should be in the format
<a name="line144"></a> * {@code name: value; [name: value; ...]} and must not have any &lt; or &gt;
<a name="line145"></a> * characters in it. This is so that SafeStyle&#39;s contract is preserved,
<a name="line146"></a> * allowing the SafeStyle to correctly be interpreted as a sequence of CSS
<a name="line147"></a> * declarations and without affecting the syntactic structure of any
<a name="line148"></a> * surrounding CSS and HTML.
<a name="line149"></a> *
<a name="line150"></a> * This method performs basic sanity checks on the format of {@code style}
<a name="line151"></a> * but does not constrain the format of {@code name} and {@code value}, except
<a name="line152"></a> * for disallowing tag characters.
<a name="line153"></a> *
<a name="line154"></a> * @param {!goog.string.Const} style A compile-time-constant string from which
<a name="line155"></a> *     to create a SafeStyle.
<a name="line156"></a> * @return {!goog.html.SafeStyle} A SafeStyle object initialized to
<a name="line157"></a> *     {@code style}.
<a name="line158"></a> */
<a name="line159"></a>goog.html.SafeStyle.fromConstant = function(style) {
<a name="line160"></a>  var styleString = goog.string.Const.unwrap(style);
<a name="line161"></a>  if (styleString.length === 0) {
<a name="line162"></a>    return goog.html.SafeStyle.EMPTY;
<a name="line163"></a>  }
<a name="line164"></a>  goog.asserts.assert(!/[&lt;&gt;]/.test(styleString),
<a name="line165"></a>      &#39;Forbidden characters in style string: &#39; + styleString);
<a name="line166"></a>  goog.asserts.assert(goog.string.endsWith(styleString, &#39;;&#39;),
<a name="line167"></a>      &#39;Last character of style string is not \&#39;;\&#39;: &#39; + styleString);
<a name="line168"></a>  goog.asserts.assert(goog.string.contains(styleString, &#39;:&#39;),
<a name="line169"></a>      &#39;Style string must contain at least one \&#39;:\&#39;, to &#39; +
<a name="line170"></a>      &#39;specify a &quot;name: value&quot; pair: &#39; + styleString);
<a name="line171"></a>  return goog.html.SafeStyle.createSafeStyleSecurityPrivateDoNotAccessOrElse_(
<a name="line172"></a>      styleString);
<a name="line173"></a>};
<a name="line174"></a>
<a name="line175"></a>
<a name="line176"></a>/**
<a name="line177"></a> * Returns this SafeStyle&#39;s value as a string.
<a name="line178"></a> *
<a name="line179"></a> * IMPORTANT: In code where it is security relevant that an object&#39;s type is
<a name="line180"></a> * indeed {@code SafeStyle}, use {@code goog.html.SafeStyle.unwrap} instead of
<a name="line181"></a> * this method. If in doubt, assume that it&#39;s security relevant. In particular,
<a name="line182"></a> * note that goog.html functions which return a goog.html type do not guarantee
<a name="line183"></a> * the returned instance is of the right type. For example:
<a name="line184"></a> *
<a name="line185"></a> * &lt;pre&gt;
<a name="line186"></a> * var fakeSafeHtml = new String(&#39;fake&#39;);
<a name="line187"></a> * fakeSafeHtml.__proto__ = goog.html.SafeHtml.prototype;
<a name="line188"></a> * var newSafeHtml = goog.html.SafeHtml.from(fakeSafeHtml);
<a name="line189"></a> * // newSafeHtml is just an alias for fakeSafeHtml, it&#39;s passed through by
<a name="line190"></a> * // goog.html.SafeHtml.from() as fakeSafeHtml instanceof goog.html.SafeHtml.
<a name="line191"></a> * &lt;/pre&gt;
<a name="line192"></a> *
<a name="line193"></a> * @see goog.html.SafeStyle#unwrap
<a name="line194"></a> * @override
<a name="line195"></a> */
<a name="line196"></a>goog.html.SafeStyle.prototype.getTypedStringValue = function() {
<a name="line197"></a>  return this.privateDoNotAccessOrElseSafeStyleWrappedValue_;
<a name="line198"></a>};
<a name="line199"></a>
<a name="line200"></a>
<a name="line201"></a>if (goog.DEBUG) {
<a name="line202"></a>  /**
<a name="line203"></a>   * Returns a debug string-representation of this value.
<a name="line204"></a>   *
<a name="line205"></a>   * To obtain the actual string value wrapped in a SafeStyle, use
<a name="line206"></a>   * {@code goog.html.SafeStyle.unwrap}.
<a name="line207"></a>   *
<a name="line208"></a>   * @see goog.html.SafeStyle#unwrap
<a name="line209"></a>   * @override
<a name="line210"></a>   */
<a name="line211"></a>  goog.html.SafeStyle.prototype.toString = function() {
<a name="line212"></a>    return &#39;SafeStyle{&#39; +
<a name="line213"></a>        this.privateDoNotAccessOrElseSafeStyleWrappedValue_ + &#39;}&#39;;
<a name="line214"></a>  };
<a name="line215"></a>}
<a name="line216"></a>
<a name="line217"></a>
<a name="line218"></a>/**
<a name="line219"></a> * Performs a runtime check that the provided object is indeed a
<a name="line220"></a> * SafeStyle object, and returns its value.
<a name="line221"></a> *
<a name="line222"></a> * @param {!goog.html.SafeStyle} safeStyle The object to extract from.
<a name="line223"></a> * @return {string} The safeStyle object&#39;s contained string, unless
<a name="line224"></a> *     the run-time type check fails. In that case, {@code unwrap} returns an
<a name="line225"></a> *     innocuous string, or, if assertions are enabled, throws
<a name="line226"></a> *     {@code goog.asserts.AssertionError}.
<a name="line227"></a> */
<a name="line228"></a>goog.html.SafeStyle.unwrap = function(safeStyle) {
<a name="line229"></a>  // Perform additional Run-time type-checking to ensure that
<a name="line230"></a>  // safeStyle is indeed an instance of the expected type.  This
<a name="line231"></a>  // provides some additional protection against security bugs due to
<a name="line232"></a>  // application code that disables type checks.
<a name="line233"></a>  // Specifically, the following checks are performed:
<a name="line234"></a>  // 1. The object is an instance of the expected type.
<a name="line235"></a>  // 2. The object is not an instance of a subclass.
<a name="line236"></a>  // 3. The object carries a type marker for the expected type. &quot;Faking&quot; an
<a name="line237"></a>  // object requires a reference to the type marker, which has names intended
<a name="line238"></a>  // to stand out in code reviews.
<a name="line239"></a>  if (safeStyle instanceof goog.html.SafeStyle &amp;&amp;
<a name="line240"></a>      safeStyle.constructor === goog.html.SafeStyle &amp;&amp;
<a name="line241"></a>      safeStyle.SAFE_STYLE_TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ ===
<a name="line242"></a>          goog.html.SafeStyle.TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_) {
<a name="line243"></a>    return safeStyle.privateDoNotAccessOrElseSafeStyleWrappedValue_;
<a name="line244"></a>  } else {
<a name="line245"></a>    goog.asserts.fail(
<a name="line246"></a>        &#39;expected object of type SafeStyle, got \&#39;&#39; + safeStyle + &#39;\&#39;&#39;);
<a name="line247"></a>    return &#39;type_error:SafeStyle&#39;;
<a name="line248"></a>  }
<a name="line249"></a>};
<a name="line250"></a>
<a name="line251"></a>
<a name="line252"></a>/**
<a name="line253"></a> * Utility method to create SafeStyle instances.
<a name="line254"></a> *
<a name="line255"></a> * This function is considered &quot;package private&quot;, i.e. calls (using &quot;suppress
<a name="line256"></a> * visibility&quot;) from other files within this package are considered acceptable.
<a name="line257"></a> * DO NOT call this function from outside the goog.html package; use appropriate
<a name="line258"></a> * wrappers instead.
<a name="line259"></a> *
<a name="line260"></a> * @param {string} style The string to initialize the SafeStyle object with.
<a name="line261"></a> * @return {!goog.html.SafeStyle} The initialized SafeStyle object.
<a name="line262"></a> * @private
<a name="line263"></a> */
<a name="line264"></a>goog.html.SafeStyle.createSafeStyleSecurityPrivateDoNotAccessOrElse_ =
<a name="line265"></a>    function(style) {
<a name="line266"></a>  var safeStyle = new goog.html.SafeStyle();
<a name="line267"></a>  safeStyle.privateDoNotAccessOrElseSafeStyleWrappedValue_ = style;
<a name="line268"></a>  return safeStyle;
<a name="line269"></a>};
<a name="line270"></a>
<a name="line271"></a>
<a name="line272"></a>/**
<a name="line273"></a> * A SafeStyle instance corresponding to the empty string.
<a name="line274"></a> * @const {!goog.html.SafeStyle}
<a name="line275"></a> */
<a name="line276"></a>goog.html.SafeStyle.EMPTY =
<a name="line277"></a>    goog.html.SafeStyle.createSafeStyleSecurityPrivateDoNotAccessOrElse_(&#39;&#39;);
<a name="line278"></a>
<a name="line279"></a>
<a name="line280"></a>/**
<a name="line281"></a> * Type marker for the SafeStyle type, used to implement additional
<a name="line282"></a> * run-time type checking.
<a name="line283"></a> * @const
<a name="line284"></a> * @private
<a name="line285"></a> */
<a name="line286"></a>goog.html.SafeStyle.TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ = {};
</pre>


</body>
</html>
